Imperfect forward secrecy: How Diffie-Hellman fails in practice, ACM SIGSAC Conference on Computer and Communications Security (CCS), pp.5-17, 2015.
URL : https://hal.archives-ouvertes.fr/hal-01982426
Lucky microseconds: A timing attack on Amazon's s2n implementation of TLS, EUROCRYPT, pp.622-643, 2016.
On the security of RC4 in TLS, USENIX Security Symposium, pp.305-320, 2013.
Lucky thirteen: Breaking the TLS and DTLS record protocols, IEEE Symposium on Security and Privacy (SP 2013), pp.526-540, 2013.
Verifiable side-channel security of cryptographic implementations: Constant-time MEE-CBC, Fast Software Encryption (FSE), pp.163-184, 2016.
The Java SPI framework for security protocol implementation, Availability, Reliability and Security, pp.746-751, 2011.
DROWN: Breaking TLS using SSLv2, USENIX Security Symposium, pp.689-706, 2016.
EasyCrypt: A tutorial, Foundations of Security Analysis and Design VII (FOSAD), ser. Lecture Notes in Computer Science, vol.8604, pp.146-166, 2014.
URL : https://hal.archives-ouvertes.fr/hal-01114366
New proofs for NMAC and HMAC: Security without collision-resistance, Advances in Cryptology (CRYPTO), pp.602-619, 2006.
The security of the cipher block chaining message authentication code, Journal of Computer and System Sciences, vol.61, issue.3, pp.362-399, 2000.
Authenticated encryption: Relations among notions and analysis of the generic composition paradigm, Advances in Cryptology (ASIACRYPT), pp.531-545, 2000.
A messy state of the union: Taming the composite state machines of TLS, IEEE Symposium on Security & Privacy (Oakland), 2015.
URL : https://hal.archives-ouvertes.fr/hal-01114250
Verified models and reference implementations for the TLS 1.3 standard candidate, Inria, 2017.
URL : https://hal.archives-ouvertes.fr/hal-01575920
Downgrade resilience in key-exchange protocols, IEEE Symposium on Security and Privacy, pp.506-525, 2016.
URL : https://hal.archives-ouvertes.fr/hal-01425962
Triple handshakes and cookie cutters: Breaking and fixing authentication over TLS, IEEE Symposium on Security & Privacy (Oakland), pp.98-113, 2014.
DOI : 10.1109/sp.2014.14
URL : https://hal.archives-ouvertes.fr/hal-01102259
Language-based defenses against untrusted browser origins, USENIX Security Symposium, pp.653-670, 2013.
URL : https://hal.archives-ouvertes.fr/hal-00863372
Verified contributive channel bindings for compound authentication, Network and Distributed System Security Symposium (NDSS), 2015.
URL : https://hal.archives-ouvertes.fr/hal-01114248
Verified cryptographic implementations for TLS, ACM TOPLAS, vol.15, issue.1, p.32, 2012.
URL : https://hal.archives-ouvertes.fr/hal-00863381
Modular verification of security protocol code by typing, ACM Symposium on Principles of Programming Languages (POPL), pp.445-456, 2010.
Verified interoperable implementations of security protocols, ACM Transactions on Programming Languages and Systems, vol.31, issue.1, 2008.
Implementing TLS with verified cryptographic security, IEEE Symposium on Security & Privacy (Oakland), 2013.
URL : https://hal.archives-ouvertes.fr/hal-00863373
On the practical (in-)security of 64-bit block ciphers: Collision attacks on HTTP over TLS and OpenVPN, ACM SIGSAC Conference on Computer and Communications Security (CCS), pp.456-467, 2016.
URL : https://hal.archives-ouvertes.fr/hal-01404208
Transcript collision attacks: Breaking authentication in TLS, IKE, and SSH, ISOC Network and Distributed System Security Symposium (NDSS), 2016.
A computationally sound mechanized prover for security protocols, IEEE Transactions on Dependable and Secure Computing, vol.5, issue.4, pp.193-207, 2008.
Automatic verification of correspondences for security protocols, Journal of Computer Security, vol.17, issue.4, pp.363-434, 2009.
Security protocol verification: Symbolic and computational models, Principles of Security and Trust, pp.3-29, 2012.
Modeling and verifying security protocols with the applied pi calculus and ProVerif, Foundations and Trends in Privacy and Security, vol.1, issue.1-2, pp.1-135, 2016.
Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS#1, Annual International Cryptology Conference (CRYPTO), ser. Lecture Notes in Computer Science, vol.1462, pp.1-12, 1998.
A trusted mechanised JavaScript specification, ACM Symposium on Principles of Programming Languages (POPL), pp.87-100, 2014.
URL : https://hal.archives-ouvertes.fr/hal-00910135
Proved generation of implementations from computationally secure protocol specifications, Journal of Computer Security, vol.23, issue.3, pp.331-402, 2015.
ASPIER: An automated framework for verifying security protocol implementations, 22nd IEEE Computer Security Foundations Symposium (CSF), pp.172-185, 2009.
Flow: Abstract interpretation of JavaScript for type checking and beyond, ACM Workshop on Programming Languages and Analysis for Security (PLAS), 2016.
Merkle-Damgård revisited: How to construct a hash function, Advances in Cryptology (CRYPTO), pp.430-448, 2005.
A survey of symbolic methods in computational analysis of cryptographic systems, Journal of Automated Reasoning, vol.46, issue.3-4, pp.225-259, 2011.
URL : https://hal.archives-ouvertes.fr/inria-00379776
Automated analysis and verification of TLS 1.3: 0-RTT, resumption and delayed authentication, IEEE Symposium on Security and Privacy, pp.470-485, 2016.
A design principle for hash functions, Advances in Cryptology (CRYPTO '89), pp.416-427, 1989.
The Transport Layer Security (TLS) Protocol Version 1.2, IETF RFC 5246, 2008.
To hash or not to hash again? (In)differentiability results for H^2 and HMAC, Advances in Cryptology (CRYPTO), pp.348-366, 2012.
On the security of public key protocols, IEEE Transactions on Information Theory, vol.29, issue.2, pp.198-207, 1983.
A cryptographic analysis of the TLS 1.3 handshake protocol candidates, ACM Conference on Computer and Communications Security (CCS), pp.1197-1210, 2015.
Key confirmation in key exchange: A formal treatment and implications for TLS 1.3, IEEE Symposium on Security and Privacy, pp.452-469, 2016.
Multi-stage key exchange and the case of Google's QUIC protocol, ACM SIGSAC Conference on Computer and Communications Security (CCS), pp.1193-1204, 2014.
A digital signature scheme secure against adaptive chosen-message attacks, SIAM Journal on Computing, vol.17, issue.2, pp.281-308, 1988.
QUIC: A UDP-based multiplexed and secure transport, 2016.
The SSL protocol, IETF Internet Draft, 1995.
On the security of TLS-DHE in the standard model, Advances in Cryptology (CRYPTO), pp.273-293, 2012.
On the security of TLS 1.3 and QUIC against weaknesses in PKCS#1 v1.5 encryption, ACM SIGSAC Conference on Computer and Communications Security (CCS), pp.1185-1196, 2015.
Automated verification for secure messaging protocols and their implementations: A symbolic and computational approach, IEEE European Symposium on Security and Privacy (EuroS&P), 2017.
URL : https://hal.archives-ouvertes.fr/hal-01575923
Cryptographic extraction and key derivation: The HKDF scheme, Advances in Cryptology (CRYPTO), pp.631-648, 2010.
A unilateral-to-mutual authentication compiler for key exchange (with applications to client authentication in TLS 1.3), ACM SIGSAC Conference on Computer and Communications Security (CCS), pp.1438-1450, 2016.
On the security of the TLS protocol: A systematic analysis, Advances in Cryptology (CRYPTO), pp.429-448, 2013.
The OPTLS protocol and TLS 1.3, IEEE European Symposium on Security & Privacy (EuroS&P), 2016.
URL : https://hal.archives-ouvertes.fr/hal-01378195
A framework for the cryptographic verification of Java-like programs, IEEE Computer Security Foundations Symposium (CSF), pp.198-212, 2012.
Elliptic curves for security, IRTF RFC 7748, 2016.
Multiple handshakes security of TLS 1.3 candidates, IEEE Symposium on Security and Privacy, pp.486-505, 2016.
How secure and quick is QUIC? Provable security and performance analyses, IEEE Symposium on Security & Privacy (Oakland), pp.214-231, 2015.
On the soundness of authenticate-then-encrypt: Formalizing the malleability of symmetric encryption, ACM SIGSAC Conference on Computer and Communications Security (CCS), pp.505-515, 2010.
A cross-protocol attack on the TLS protocol, ACM Conference on Computer and Communications Security (CCS), 2012.
Revisiting SSL/TLS implementations: New Bleichenbacher side channels and attacks, 23rd USENIX Security Symposium, pp.733-748, 2014.
This POODLE bites: Exploiting the SSL 3.0 fallback, 2014.
The gap-problems: A new class of problems for the security of cryptographic schemes, Practice and Theory in Public Key Cryptography (PKC), pp.104-118, 2001.
Tag size does matter: Attacks and proofs for the TLS record protocol, Advances in Cryptology (ASIACRYPT), pp.372-389, 2011.
Reactive and proactive standardisation of TLS, Security Standardisation Research (SSR), pp.160-186, 2016.
Transport Layer Security (TLS) session hash and extended master secret extension, 2015.
TLS renegotiation indication extension, IETF RFC 5746, 2010.
[TLS] PR#875: Additional Derive-Secret stage, 2017.
Automated analysis of Diffie-Hellman protocols and advanced security properties, IEEE Computer Security Foundations Symposium (CSF), pp.78-94, 2012.
Espectro project description, 2016.
Dependent types and multi-monadic effects in F*, ACM Symposium on Principles of Programming Languages (POPL), pp.256-270, 2016.
URL : https://hal.archives-ouvertes.fr/hal-01265793
All your biases belong to us: Breaking RC4 in WPA-TKIP and TLS, USENIX Security Symposium, pp.97-112, 2015.
Analysis of the SSL 3.0 protocol, USENIX Workshop on Electronic Commerce, 1996.
A verified extensible library of elliptic curves, IEEE Computer Security Foundations Symposium (CSF), pp.296-309, 2016.
URL : https://hal.archives-ouvertes.fr/hal-01425957
We show the following properties:

• $\mathrm{mac}^{H}_{k}(m) = \mathrm{mac}_{k}(H(m))$ is an SUF-CMA (strongly unforgeable under chosen message attacks) MAC. Indeed, since $\mathrm{mac} = \mathrm{HMAC}\text{-}H$ is a PRF, it is an SUF-CMA MAC as shown in [10], and this property is preserved by composition with a collision-resistant hash function.

• $\mathrm{sign}^{H}_{sk}(m) = \mathrm{sign}_{sk}(H(m))$ is a UF-CMA signature. Indeed, $\mathrm{sign}$ is a UF-CMA signature, and this property is preserved by composition with a collision-resistant hash function.

• … $, e)$ and $\log_1 \mapsto \mathrm{derive\text{-}secret}(es, ets_c, \log_1)$ are indistinguishable from independent random functions, and $k_b = \mathrm{derive\text{-}secret}(es, pbk, \ldots)$ … are indistinguishable from independent fresh random values independent from these random functions.

• When $hs$ is a fresh random value, $\log_1 \mapsto \mathrm{derive\text{-}secret}(hs, hts_c, \log_1)\,\mathrm{derive\text{-}secret}(hs, hts_s, \log_1)$ is indistinguishable from a random function and $\mathrm{hkdf\text{-}extract}(hs, 0^{\mathrm{len}_{H}()})$ is indistinguishable from a fresh random value independent from this random function.

• When $ms$ is a fresh random value, the functions $\log_4 \mapsto \mathrm{derive\text{-}secret}(ms, ats_c, \log_4)\,\mathrm{derive\text{-}secret}(ms, ats_s, \log_4)\,\mathrm{derive\text{-}secret}(ms, ems, \log_4)$ and $\log_7 \mapsto \mathrm{derive\text{-}secret}(ms, rms, \ldots$ …

• When $l_1, l_2, l_3$ are pairwise distinct labels and $s$ is a fresh random value, $\mathrm{hkdf\text{-}expand\text{-}label}(s, l_i, \ldots)$ for $i = 1, 2, 3$ …